#!/bin/bash

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# Export the keystore password for use in ws.conf
export KEY_PASSWORD=`cat scripts/password`

# Turn on HTTPS, turn off HTTP.
# This should be https://example.com:9443
JVM_OPTIONS="$JVM_OPTIONS -Dhttp.port=disabled"
JVM_OPTIONS="$JVM_OPTIONS -Dhttps.port=9443"

# Note that using the HTTPS port by itself doesn't set rh.secure=true.
# rh.secure will only return true if the "X-Forwarded-Proto" header is set, and
# if the value in that header is "https", if either the local address is 127.0.0.1, or if
# trustxforwarded is configured to be true in the application configuration file.

# Define the SSLEngineProvider in our own class.
JVM_OPTIONS="$JVM_OPTIONS -Dplay.http.sslengineprovider=https.CustomSSLEngineProvider"

# Enable this if you want to turn on client authentication
#JVM_OPTIONS="$JVM_OPTIONS -Dplay.ssl.needClientAuth=true"

# Enable the handshake parameter to be extended for better protection.
# https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-D9B216E8-3EFC-4882-B76E-17A87D8F2F9D
# Only relevant for "DHE_RSA", "DHE_DSS", "DH_ANON" algorithms, in ServerHandshaker.java.
JVM_OPTIONS="$JVM_OPTIONS -Djdk.tls.ephemeralDHKeySize=2048"

# Don't allow client to dictate terms - this can also be used for DoS attacks.
# Undocumented, defined in https://github.com/openjdk/jdk11u/blob/jdk-11.0.20%2B1/src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java#L35-L43
JVM_OPTIONS="$JVM_OPTIONS -Djdk.tls.rejectClientInitiatedRenegotiation=true"

# Add more details to the disabled algorithms list
# https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-0A438179-32A7-4900-A81C-29E3073E1E90
# and https://bugs.java.com/bugdatabase/view_bug.do?bug_id=7133344
JVM_OPTIONS="$JVM_OPTIONS -Djava.security.properties=disabledAlgorithms.properties"

# Fix a version number problem in SSLv3 and TLS version 1.0.
# https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html
JVM_OPTIONS="$JVM_OPTIONS -Dcom.sun.net.ssl.rsaPreMasterSecretFix=true"

# Enable this if you need to use OCSP or CRL
# https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html#GUID-E6E737DB-4000-4005-969E-BCD0238B1566
#JVM_OPTIONS="$JVM_OPTIONS -Dcom.sun.security.enableCRLDP=true"
#JVM_OPTIONS="$JVM_OPTIONS -Dcom.sun.net.ssl.checkRevocation=true"

# Enable this if you need TLS debugging
# https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-31B7E142-B874-46E9-8DD0-4E18EC0EB2CF
#JVM_OPTIONS="$JVM_OPTIONS -Djavax.net.debug=ssl:handshake"

# Change this if you need X.509 certificate debugging
# https://docs.oracle.com/en/java/javase/11/security/troubleshooting-security.html
#JVM_OPTIONS="$JVM_OPTIONS -Djava.security.debug=certpath:x509:ocsp"

JVM_OPTIONS="$JVM_OPTIONS -Dkey.password=$KEY_PASSWORD"
JVM_OPTIONS="$JVM_OPTIONS -DcertificateDirectory=$DIR/scripts"
JVM_OPTIONS="$JVM_OPTIONS -Dtestserver.httpsport=19001"

## Ucomment the following to debug SSL issues.
#export SBT_OPTS="$SBT_OPTS -Djavax.net.debug=all"

# Run Play
sbt $JVM_OPTIONS $*;
